Western Digital just rolled out a My Cloud OS update that resolves a dangerous remote access vulnerability. All My Cloud users should install the firmware update (version 5.19.117) to defend themselves from remote hacking attempts.

As reported by Bleeping Computer, participants in the Pwn2Own 2021 hacking contest figured out how to remotely execute code on My Cloud devices through their included "Netatalk Service" software. This vulnerability, tracked as CVE-2022-23121, can be exploited without user authentication. Like last year's My Book Live vulnerability, it sounds very easy to execute.

Hackers who remotely access your cloud storage drive can wipe or copy its data. They can also upload data, including malware, to your network. That's why it's important that you update now.

Here are the devices that may be impacted by this vulnerability:

  • My Cloud PR2100
  • My Cloud PR4100
  • My Cloud EX2 Ultra
  • My Cloud EX4100
  • My Cloud Mirror Gen 2
  • My Cloud EX2100
  • My Cloud DL2100
  • My Cloud DL4100

Updating your drive will disable Netatalk Service, which is an open-source solution for the Apple Filing Protocol (AFP). Basically, it lets Unix-like operating systems perform file server duties for Macs. (If you're a developer who uses Netatalk Service for any application, you should update to the latest version now, as it patches the CVE-2022-23121 vulnerability.)
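As an added example (not code from Western Digital or from this article), here is a small Python audit for devices you administer: it flags any listed model that is still below firmware 5.19.117 or still accepts connections on TCP 548, the standard AFP port. The inventory format, the addresses and the function names are assumptions made for illustration.

```python
import socket

FIXED = (5, 19, 117)   # firmware version named in the article
AFP_PORT = 548         # standard AFP-over-TCP port (assumes the default is in use)
AFFECTED = {"".join(m.split()).lower() for m in (
    "My Cloud PR2100", "My Cloud PR4100", "My Cloud EX2 Ultra", "My Cloud EX4100",
    "My Cloud Mirror Gen 2", "My Cloud EX2100", "My Cloud DL2100", "My Cloud DL4100",
)}

def parse_version(text):
    """Turn '5.19.117' into (5, 19, 117) so versions compare numerically."""
    return tuple(int(part) for part in text.strip().split("."))

def afp_listening(host, port=AFP_PORT, timeout=2.0):
    """Return True if something accepts TCP connections on the AFP port."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:
        return False

def audit(device, probe=afp_listening):
    """Return a list of findings for one inventory entry (empty list = OK)."""
    model = "".join(device["model"].split()).lower()  # ignore spacing and case
    if model not in AFFECTED:
        return []
    findings = []
    if parse_version(device["firmware"]) < FIXED:
        findings.append("firmware below 5.19.117")
    if probe(device["host"]):
        findings.append("AFP (Netatalk) still reachable on TCP 548")
    return findings

# Constructed sample inventory; hosts use the RFC 5737 documentation range.
INVENTORY = [
    {"model": "My Cloud PR4100", "firmware": "5.18.117", "host": "192.0.2.10"},
    {"model": "My Cloud EX2 Ultra", "firmware": "5.19.117", "host": "192.0.2.11"},
]

if __name__ == "__main__":
    for dev in INVENTORY:
        result = audit(dev)
        print(dev["host"], dev["model"], "OK" if not result else "; ".join(result))
```

A device that reports 5.19.117 but still answers on port 548 is worth a closer look, since the update is supposed to leave Netatalk disabled.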

Note that Western Digital is still offering coupons to customers with discontinued drives. These coupons expire April 15th, so if you have an old WD cloud storage device in your home, you should contact the company.

Source: Western Digital via Bleeping Computer